CVE-2024-41048: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip zero length skb in sk_msg_recvmsg When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch platform, the following kernel panic occurs: [...] Oops[#1]: CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 ... ... ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560 ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 0000000c (PPLV0 +PIE +PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) BADV: 0000000000000040 PRID: 0014c011 (Loongson-64bit, Loongson-3C5000) Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...) Stack : ... Call Trace: [<9000000004162774>] copy_page_to_iter+0x74/0x1c0 [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560 [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0 [<90000000049aae34>] inet_recvmsg+0x54/0x100 [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0 [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0 [<900000000481e27c>] sys_recvfrom+0x1c/0x40 [<9000000004c076ec>] do_syscall+0x8c/0xc0 [<9000000003731da4>] handle_syscall+0xc4/0x160 Code: ... ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception Kernel relocated by 0x3510000 .text @ 0x9000000003710000 .data @ 0x9000000004d70000 .bss @ 0x9000000006469400 ---[ end Kernel panic - not syncing: Fatal exception ]--- [...] This crash happens every time when running sockmap_skb_verdict_shutdown subtest in sockmap_basic. This crash is because a NULL pointer is passed to page_address() in the sk_msg_recvmsg(). Due to the different implementations depending on the architecture, page_address(NULL) will trigger a panic on Loongarch platform but not on x86 platform. So this bug was hidden on x86 platform for a while, but now it is exposed on Loongarch platform. The root cause is that a zero length skb (skb->len == 0) was put on the queue. This zero length skb is a TCP FIN packet, which was sent by shutdown(), invoked in test_sockmap_skb_verdict_shutdown(): shutdown(p1, SHUT_WR); In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no page is put to this sge (see sg_set_page in sg_set_page), but this empty sge is queued into ingress_msg list. And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by sg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it to kmap_local_page() and to page_address(), then kernel panics. To solve this, we should skip this zero length skb. So in sk_msg_recvmsg(), if copy is zero, that means it's a zero length skb, skip invoking copy_page_to_iter(). We are using the EFAULT return triggered by copy_page_to_iter to check for is_fin in tcp_bpf.c.
AI Analysis
Technical Summary
CVE-2024-41048 is a vulnerability in the Linux kernel affecting the sk_msg_recvmsg() function within the skmsg subsystem, specifically triggered on Loongarch architecture platforms. The issue arises when a zero-length socket buffer (skb) is processed, which corresponds to a TCP FIN packet sent by the shutdown() system call. In this scenario, the zero-length skb is enqueued with an empty scatter-gather entry (sge) that contains no associated memory page. When sk_msg_recvmsg() attempts to process this skb, it calls copy_page_to_iter() with a NULL page pointer, leading to a kernel panic due to a NULL pointer dereference in page_address(). This behavior is architecture-dependent: on x86 platforms, the NULL page dereference does not cause a panic and thus the bug remained hidden, but on Loongarch platforms it results in a fatal kernel exception and system crash. The root cause is that the zero-length skb is not properly skipped during message reception, causing the kernel to attempt to access invalid memory. The fix involves modifying sk_msg_recvmsg() to detect zero-length skbs and skip the copy_page_to_iter() call, preventing the NULL pointer dereference and subsequent panic. This vulnerability was discovered during BPF selftests involving sockmap_basic tests on Loongarch hardware and is specific to kernel versions around 6.10.0-rc2+ as tested. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability is significant because it can cause a denial of service (DoS) via kernel panic on affected systems, impacting system availability and stability.
Potential Impact
For European organizations, the primary impact of CVE-2024-41048 is a potential denial of service condition on Linux systems running on Loongarch architecture hardware. Although Loongarch is a less common architecture compared to x86_64 or ARM in Europe, organizations using specialized or emerging hardware platforms based on Loongarch could experience unexpected kernel panics and system crashes when running workloads involving BPF programs or socket message handling, particularly those using TCP shutdown operations. This could disrupt critical services, especially in environments relying on Linux kernel features like BPF for networking or security monitoring. The vulnerability does not appear to allow privilege escalation or remote code execution, limiting its impact to availability. However, the forced kernel panic could cause downtime, data loss, or service interruptions. Since the bug is triggered by specific socket operations, applications or services that perform TCP shutdowns or use advanced socket features may be more susceptible. European organizations with research, development, or deployment of Loongarch-based Linux systems should prioritize patching to maintain system reliability. The vulnerability is less likely to affect mainstream Linux deployments on x86 or ARM architectures prevalent in Europe, but awareness is important for niche or emerging platform users.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-41048 as soon as they become available, particularly for kernels running on Loongarch platforms. Monitor Linux kernel mailing lists and vendor advisories for updates. 2. For organizations using Loongarch-based Linux systems, avoid running untrusted or experimental BPF programs or socket tests that could trigger the vulnerability until patched. 3. Implement kernel crash monitoring and automated recovery mechanisms to reduce downtime in case of kernel panics. 4. Conduct thorough testing of network applications that use TCP shutdown calls or advanced socket message handling on Loongarch hardware to identify potential triggers. 5. Engage with hardware and Linux distribution vendors to ensure timely delivery of patched kernels and backports for affected versions. 6. Consider architectural diversity or fallback mechanisms in critical environments to mitigate risks from platform-specific kernel bugs. 7. Maintain up-to-date backups and disaster recovery plans to minimize impact from unexpected system crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Finland, Sweden
CVE-2024-41048: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip zero length skb in sk_msg_recvmsg When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch platform, the following kernel panic occurs: [...] Oops[#1]: CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 ... ... ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560 ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 0000000c (PPLV0 +PIE +PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) BADV: 0000000000000040 PRID: 0014c011 (Loongson-64bit, Loongson-3C5000) Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...) Stack : ... Call Trace: [<9000000004162774>] copy_page_to_iter+0x74/0x1c0 [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560 [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0 [<90000000049aae34>] inet_recvmsg+0x54/0x100 [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0 [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0 [<900000000481e27c>] sys_recvfrom+0x1c/0x40 [<9000000004c076ec>] do_syscall+0x8c/0xc0 [<9000000003731da4>] handle_syscall+0xc4/0x160 Code: ... ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception Kernel relocated by 0x3510000 .text @ 0x9000000003710000 .data @ 0x9000000004d70000 .bss @ 0x9000000006469400 ---[ end Kernel panic - not syncing: Fatal exception ]--- [...] This crash happens every time when running sockmap_skb_verdict_shutdown subtest in sockmap_basic. This crash is because a NULL pointer is passed to page_address() in the sk_msg_recvmsg(). Due to the different implementations depending on the architecture, page_address(NULL) will trigger a panic on Loongarch platform but not on x86 platform. So this bug was hidden on x86 platform for a while, but now it is exposed on Loongarch platform. The root cause is that a zero length skb (skb->len == 0) was put on the queue. This zero length skb is a TCP FIN packet, which was sent by shutdown(), invoked in test_sockmap_skb_verdict_shutdown(): shutdown(p1, SHUT_WR); In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no page is put to this sge (see sg_set_page in sg_set_page), but this empty sge is queued into ingress_msg list. And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by sg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it to kmap_local_page() and to page_address(), then kernel panics. To solve this, we should skip this zero length skb. So in sk_msg_recvmsg(), if copy is zero, that means it's a zero length skb, skip invoking copy_page_to_iter(). We are using the EFAULT return triggered by copy_page_to_iter to check for is_fin in tcp_bpf.c.
AI-Powered Analysis
Technical Analysis
CVE-2024-41048 is a vulnerability in the Linux kernel affecting the sk_msg_recvmsg() function within the skmsg subsystem, specifically triggered on Loongarch architecture platforms. The issue arises when a zero-length socket buffer (skb) is processed, which corresponds to a TCP FIN packet sent by the shutdown() system call. In this scenario, the zero-length skb is enqueued with an empty scatter-gather entry (sge) that contains no associated memory page. When sk_msg_recvmsg() attempts to process this skb, it calls copy_page_to_iter() with a NULL page pointer, leading to a kernel panic due to a NULL pointer dereference in page_address(). This behavior is architecture-dependent: on x86 platforms, the NULL page dereference does not cause a panic and thus the bug remained hidden, but on Loongarch platforms it results in a fatal kernel exception and system crash. The root cause is that the zero-length skb is not properly skipped during message reception, causing the kernel to attempt to access invalid memory. The fix involves modifying sk_msg_recvmsg() to detect zero-length skbs and skip the copy_page_to_iter() call, preventing the NULL pointer dereference and subsequent panic. This vulnerability was discovered during BPF selftests involving sockmap_basic tests on Loongarch hardware and is specific to kernel versions around 6.10.0-rc2+ as tested. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability is significant because it can cause a denial of service (DoS) via kernel panic on affected systems, impacting system availability and stability.
Potential Impact
For European organizations, the primary impact of CVE-2024-41048 is a potential denial of service condition on Linux systems running on Loongarch architecture hardware. Although Loongarch is a less common architecture compared to x86_64 or ARM in Europe, organizations using specialized or emerging hardware platforms based on Loongarch could experience unexpected kernel panics and system crashes when running workloads involving BPF programs or socket message handling, particularly those using TCP shutdown operations. This could disrupt critical services, especially in environments relying on Linux kernel features like BPF for networking or security monitoring. The vulnerability does not appear to allow privilege escalation or remote code execution, limiting its impact to availability. However, the forced kernel panic could cause downtime, data loss, or service interruptions. Since the bug is triggered by specific socket operations, applications or services that perform TCP shutdowns or use advanced socket features may be more susceptible. European organizations with research, development, or deployment of Loongarch-based Linux systems should prioritize patching to maintain system reliability. The vulnerability is less likely to affect mainstream Linux deployments on x86 or ARM architectures prevalent in Europe, but awareness is important for niche or emerging platform users.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-41048 as soon as they become available, particularly for kernels running on Loongarch platforms. Monitor Linux kernel mailing lists and vendor advisories for updates. 2. For organizations using Loongarch-based Linux systems, avoid running untrusted or experimental BPF programs or socket tests that could trigger the vulnerability until patched. 3. Implement kernel crash monitoring and automated recovery mechanisms to reduce downtime in case of kernel panics. 4. Conduct thorough testing of network applications that use TCP shutdown calls or advanced socket message handling on Loongarch hardware to identify potential triggers. 5. Engage with hardware and Linux distribution vendors to ensure timely delivery of patched kernels and backports for affected versions. 6. Consider architectural diversity or fallback mechanisms in critical environments to mitigate risks from platform-specific kernel bugs. 7. Maintain up-to-date backups and disaster recovery plans to minimize impact from unexpected system crashes.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-12T12:17:45.625Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9827c4522896dcbe1748
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 3:56:04 AM
Last updated: 7/30/2025, 10:40:43 PM
Views: 9
Related Threats
CVE-2025-52621: CWE-346 Origin Validation Error in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52620: CWE-20 Improper Input Validation in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52619: CWE-209 Generation of Error Message Containing Sensitive Information in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52618: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in HCL Software BigFix SaaS Remediate
MediumCVE-2025-43201: An app may be able to unexpectedly leak a user's credentials in Apple Apple Music Classical for Android
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.